`AWSConfigRemediation-EnforceEC2InstanceIMDSv2`

Description

The AWSConfigRemediation-EnforceEC2InstanceIMDSv2 runbook requires the Amazon Elastic Compute Cloud (Amazon EC2) instance you specify to use Instance Metadata Service Version 2 (IMDSv2).

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

InstanceId

Type: String

Description: (Required) The ID of the Amazon EC2 instance you want to require to use IMDSv2.
AutomationAssumeRole

Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
HttpPutResponseHopLimit

Type: Integer

Description: (Optional) The Hop response limit from the IMDS service back to the requester. Set to 2 or greater for EC2 instances hosting containers. Set to 0 to not change (Default).

Allowed pattern: ^([1-5]?\d|6[0-4])$

Default: 0

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

ssm:StartAutomationExecution
ssm:GetAutomationExecution
ec2:DescribeInstances
ec2:ModifyInstanceMetadataOptions

Document Steps

aws:executeScript - Sets the HttpTokens option to required on the Amazon EC2 instance you specify in the InstanceId parameter.
aws:assertAwsResourceProperty - Verifies IMDSv2 is required on the Amazon EC2 instance.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWSConfigRemediation-EnableAutoScalingGroupELBHealthCheck

AWSEC2-CloneInstanceAndUpgradeSQLServer